RSA Cybersecurity Maturity Assessment Survey

How mature is your organization’s cybersecurity program? Don’t know? Take our free evaluation derived from the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Framework was created through collaboration between industry and government to promote the protection of critical infrastructure and manage cybersecurity-related risk.

Not Currently Done: My organization does not currently do this.

Ad Hoc: My organization handles this in an ad hoc or case-by-case manner. Our practices in this area are not formalized and are most often handled in a reactive manner without using repeatable processes.

Progressing: My organization has progressed from a purely ad hoc or case-by-case approach in this area, but is in the early stages of formalizing its practices and executing them on an organization-wide basis.

Mature: My organization's security practices in this area are mature and are generally consistently repeated on an organization-wide basis.

Mastered: My organization's security practices in this area are highly mature, adaptive, risk focused, enterprise in scope, and almost always based on lessons learned from internal experiences, quantitative metrics, or externally sourced best practices.

What is your organization's primary base of operations?

Country*

Industry*

Employee Size*

Company Position*

Functional Group*

Annual Security Budget*

How many security incidents negatively impacted your organization's business operations within the last 12 months?*

How does your organization catalog, assess, and mitigate risks?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization assess risks associated with vulnerabilities and security incidents as well as those discovered from threat intelligence sources?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization create & maintain a catalog of assets and their business criticality?

How does your organization maintain & support the operation of critical information resources?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization monitor & audit IT operations to ensure security and resilience?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization monitor network, user, endpoint, server, and application activity to both detect potential security issues and to verify the effectiveness of the organization's preventive controls?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization test, manage, prioritize, & communicate your responses to security incidents that have the potential to negatively affect your operations?

Not Currently Done

Ad Hoc

Progressing

Mature

Mastered

How does your organization prevent the expansion of a security incident and vulnerabilities, mitigate their effects, and ultimately eradicate them?